Third-party audits verify our platform’s security
Posted by John Kleeman
2013 was a rough year for security and data privacy. The revelations of government surveillance on the Internet surprised many and revelations about credit card and other data theft have been disappointing.
As an assessment company, Questionmark has always taken security seriously. We know that our customers care deeply about keeping assessment content and results safe, and it’s important to get third party scrutiny and review. Our own internal teams follow strict coding guidelines which include code review and security testing and internal penetration testing. But we also have third parties do testing on us, to check that we are genuinely secure – not just believing our own marketing literature!
Some of this testing is done by customers. We support customers who need to run their own penetration tests on our platform. Much of this testing we cannot share due to confidential restrictions without an NDA with a customer. But I thought it helpful to share some results from one of our third party suppliers Veracode, who provide dynamic scanning tools we use on our OnDemand platform.
We have run separate Veracode dynamic scans on Questionmark OnDemand in our US and EU data centers, and also on Questionmark Live. In all cases the score from the penetration testing has been 98 / 100 or 99 / 100. There were two minor issues preventing a 100% score, disclosure of the operating system in use which is inevitable using the technology stack used by Questionmark and a minor cookie setting already slated for correction in our next release.
Customers who are interested in seeing more information on our Veracode scans can request this, subject to signing a suitable non-disclosure agreement (NDA). Note that Veracode is a trademark of Veracode Inc. The company does not endorse Questionmark and this blog post should not be interpreted as any validation by Veracode of Questionmark’s solutions.
Questionmark continues to improve our security. Each new release includes security improvements and we are continually improving our processes. There are many layers to security, including having certified data centers, a 3 tier architecture, implementing security from start to finish in software development, and by maintaining security during release, and much more. See my earlier article Hard and soft defences in our castle in the cloud for more on Questionmark security.
We hope that these penetration testing results will help give comfort that Questionmark takes security seriously. For more information on Questionmark security, you can see our security white paper: see here for the version relating to our European service and here for the version relating to our US service. You can also view this video about our security measures.